Disabling unauthorized forwarding in Outlook.com

Over the past week, I've noticed an increase in user escalations asking to disable unauthorized forwarding. That is, they have a setting in their mailbox where their email is being forwarded to another account.

Users can resolve this themselves: select Options > Mail > Automatic processing > Inbox and sweep rules. Then look for any mailbox rules that forward to an email address you don't recognize. When you select a rule, its description shows the forward-to mailbox.

If you find a forwarding rule that you didn't set up, delete the rule.

If there are multiple rules, review each one individually to make sure there isn't more than one forwarding rule.

Next, reset your password by going to https://account.live.com/password/reset. Select "I think someone else is using my Microsoft account." Even though you still have access to your account and you can sign in, there is a likelihood someone else is also using your account.

Go through the steps to reset your password. I recommend saving your new password in a password manager because:

(a) While you can save it in your browser via the "Remember me" feature, sometimes you'll clear your cache and need to re-enter it. You'll also need to manually type it in if you check your email on your tablet or phone.

(b) You may be tempted to re-use your password across multiple sites. Don't do this. Let your password manager generate a random one for you, and save it. That way, if your account ever gets compromised, your password can't be used to log in to other sites.

For Tenant Admins in Office 365, it can be useful to remove the ability for a user to configure forwarding at all, by editing the default Management Role. The particular role that includes the DeliverToMailboxAndForward, ForwardingAddress and ForwardingSmtpAddress options is ‘MyBaseOptions’.
This approach does not fight against Inbox rules, though Transport does provide a method to grab these as well. Clause: Message Type is “Auto-Forward”. This leaves normal email forward functionality intact, just no rule-based forwarding.
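
The admin-side options above, preceded by a tenant-wide audit of both forwarding mechanisms, as an added Exchange Online PowerShell example (not code from the original post). It assumes an authenticated admin session; the role name and rule name are placeholders, and limiting the transport rule to external recipients is an assumption added here.

```powershell
# Added example; assumes the ExchangeOnlineManagement module and an admin session.
Connect-ExchangeOnline

# Audit 1: mailbox-level forwarding (the settings exposed through MyBaseOptions).
function Get-MailboxForwarding {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        Select-Object PrimarySmtpAddress, ForwardingAddress,
                      ForwardingSmtpAddress, DeliverToMailboxAndForward
}

# Audit 2: Inbox rules that forward or redirect; the role change does not touch these.
function Get-ForwardingInboxRule {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                Name, Enabled,
                @{ n = 'Targets'; e = { (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) +
                        @($_.RedirectTo) | Where-Object { $_ }) -join '; ' } }
    }
}

Get-MailboxForwarding   | Format-Table -AutoSize
Get-ForwardingInboxRule | Format-Table -AutoSize

# Control 1: a child of MyBaseOptions without the three forwarding parameters.
# Built-in roles are read-only, so the parameters are removed from a copy.
# 'MyBaseOptions-NoForwarding' is a placeholder name.
New-ManagementRole -Name 'MyBaseOptions-NoForwarding' -Parent 'MyBaseOptions'
Set-ManagementRoleEntry 'MyBaseOptions-NoForwarding\Set-Mailbox' -RemoveParameter `
    -Parameters DeliverToMailboxAndForward, ForwardingAddress, ForwardingSmtpAddress
# The copy has no effect until a role assignment policy that lists it in place of
# MyBaseOptions is assigned to the mailboxes.

# Control 2: transport rule on the "Message Type is Auto-Forward" clause.
# The external-only scope is an assumption; drop both scope parameters to match
# the single clause described in the post. The rule name is a placeholder.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'
```

Run the two audit functions first and review the results with mailbox owners before enabling either control, since both also stop forwarding that users set up deliberately.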